Written on: Aug 8, 2017 11:45:00 AM
Written by: Alex Raben
Share this post:
Today's topic, written by Mike Henry, Lead Data Protection Architect at COOLSPIRiT is about protecting data for when a Ransomware attack may happen, ensuring your Commvault environment is configured correctly in the event of an attack, ensuring safe restoration of data.
There are a number of things Commvault can do to help protect against Ransomware attacks. This includes increasing Commvault's Server security. The primary means of protecting the CommServe database is making sure the necessary physical, application and network security measures are taken. There are additional measures that can be taken and include configuration of the Microsoft SQL Server Instance or the Windows Server host used by the CommServe. These recommendations can be found on Microsoft's documentation.
Another way we can help combat attacks is by recommending limited access to the Commvault installation process. The customer can lock down installation folders to only the Commvault Service account and prohibit Sys Admins from using the account unless absolutely necessary.
An adequate Disaster Recovery procedure would also be advisable.
Relocating the Commcell Console and Web Console can help. At the time of installing the Commcell Console, the web server and web console components are automatically selected for installation only if IIS is installed. You can deselect these components during the install process as they don't have to be installed on the Commserve Host. If the Web Console and Web Server are installed on alternate hosts, it is important to have the firewall and SQL communications configured.
The Web-based Commcell Console can be configured to use SSL/HTTPS instead of the default HTTP which is unsecure. You can configure ISS (which is used for remote web access) to use a secure HTTPS web page for the CommCell Console.
There are other hardware based ways to protect against Ransomware and include hardening of the SQL DB such as renaming the SQL Server Administrator Account, changing SQL server ports, changing or hiding SQL server instance names, installing the Commserve component using a different SQL instance name.
Increasing Commvault's backup data security by having versions of the data from prior recovery points preserved in protected locations is also very important, ie. multiple copies of the data. By using a Commvault driver component, ransomware is blocked in from encrypting or deleting backup data from the media agent itself. Risk is reduced by having copy separation, different media agents, different sites and offline media. Using a cloud library is another possibility in that it is not visible to the OS local admin account off the media agent, unless a deep analysis attack has exposed the cloud user account credentials as well.
Commvault places check files in special areas that our service will monitor for changes. If those check files are altered an alert and notification are launched to investigate, react and take systems off the network before additional exposure can occur.
Other data management protection options include creating offline backup copies, replicating data using DASH Copy to a separate location and keeping the Media Agent from propagating Malware. This means we only copy data we manage therefore, if malware got into a storage area we were using, for example, we do not blindly replicate all the contents. We track and monitor what data copies and instances we have written to location 1 and only replicate those contents to the other managed copy in location 2. This is more secure as compared to third party storage replication methods which will move all contents – since they do not have the indexing and intelligence.
For laptops, there is the option to wipe the laptop and restore the data from a prior, unaffected backup. We also maintain multiple versions to restore. Another way to stop the spread of the infection is to change the OS as well. There is a procedure that we can supply for this.
We hope our Commvault users find these tips useful. If you have any question or would like to talk to the team further, then get in touch today on 01246 454222
Watch our video and learn why COOLSPIRiT are a leading Commvault partner in the UK: http://www.coolspirit.co.uk/partners/commvault